Unveiling the Evolution of Ransomware: From WinLock to Rorschach

Ransomware attacks have undergone a remarkable evolution over the years, inflicting significant financial and reputational damage on organizations and individuals worldwide. Below, we explore a selection of prominent ransomware examples, shedding light on the modus operandi and impact of these nefarious cyber threats.

Below are some notable ransomware examples along with their characteristics:

  1. Rorschach (2023): Initially identified after an attack on a US-based company, Rorschach, a variant of BabLock ransomware, stands out for its rapid encryption speed. It spreads through various channels such as security vulnerabilities, phishing emails, malvertising, and malicious software downloads, primarily targeting large businesses and industrial sectors. Ransom demands range from thousands to millions of US dollars. In a significant incident in October 2023, Rorschach disrupted the operations of Grupo GTD, a major Chilean telecommunications provider operating across Latin America. Notably, Rorschach employs a partly autonomous and self-propagating mechanism, utilizing Active Directory Domain Group Policy Objects (GPO) for quick propagation across networks. Unlike typical locker ransomware, it utilizes hybrid cryptography for efficient partial file encryption, ensuring speedy encryption processes.

  2. LockBit 3.0 (2022): Also known as LockBit Black, this ransomware variant gained widespread usage in 2022, primarily targeting large organizations and government entities by exploiting network security vulnerabilities. Ransom demands often amount to millions of US dollars. In a notable incident, LockBit breached Boeing’s internal data in October 2023, leading to data leakage after Boeing refused to pay the ransom. LockBit also targeted the US Cybersecurity and Infrastructure Security Agency (CISA) along with 1,700 other US organizations. LockBit 3.0 gained further notoriety for its bug bounty program, offering rewards to individuals who identified bugs in its ransomware code.

  3. Black Basta (2022): Unleashed in 2022, Black Basta infiltrated the cybersecurity defenses of nearly 100 organizations, including notable entities such as the American Dental Association, ABB, Yellow Pages Canada, Deutsche Windtechnik, Thales, and Capita. Its malicious activities have amassed over $100 million from over 300 infections. Employing a double extortion strategy, the perpetrators behind Black Basta encrypt critical data and servers while also threatening to expose sensitive information on public leak sites.

  4. Royal (2022): Operating since September 2022, the Royal ransomware gang has targeted more than 350 organizations globally, with a focus on critical infrastructure. Their ransom demands range from $1 to $11 million in Bitcoin, resulting in a total extortion amount of approximately $275 million. Distinguished by its efficacy and elusiveness, Royal utilizes a specific partial encryption method to encrypt minimal data, evading detection by anti-malware software. Furthermore, the gang exfiltrates and extorts victims’ data before encryption, resorting to public data leaks if ransoms are not paid.

  5. BlackCat (2021): BlackCat, also known as ALPHV, made headlines as the first ransomware strain written in the Rust programming language. Capable of encrypting both Windows and Linux devices, as well as VMWare instances, BlackCat exploits vulnerabilities in Exchange Server, SonicWall, and Windows systems. This ransomware group has compromised over 1,000 entities, primarily in the US, demanding over $500 million in total, with nearly $300 million received in blackmail payments. Notable victims include Oiltanking GmbH, Swissport, Western Digital, and the Austrian state of Carinthia.

  6. Hive (2021): The Hive ransomware group gained notoriety after targeting the Costa Rican Social Security Fund in 2022. Hive infiltrates systems through various means, including RDP and other remote network connection protocols, phishing scams, and exploitation of security vulnerabilities. Employing triple extortion techniques, Hive has breached the cybersecurity of over 1,300 companies worldwide, receiving approximately $100 million in ransom payments. Its targets span various sectors, with a particular focus on IT, critical infrastructure, and healthcare.

  7. DarkSide (2020): DarkSide made headlines by attacking the Colonial Pipeline in early May 2021, resulting in severe disruptions to fuel supply along the US East Coast. With a ransom demand of $4.4 million, company executives opted to pay. DarkSide primarily targets large, high-revenue organizations to encrypt and steal sensitive data, demanding million-dollar ransoms. In response to pressure from the US government in mid-2021, the ransomware gang announced the suspension of its operations.

  8. Egregor (2020): Egregor is a double extortion ransomware strain that has targeted various entities, including Barnes & Noble, Kmart, and video game developers Ubisoft and Crytek. Spread through stolen credentials, hacking remote access technologies, and spear-phishing scams, Egregor demanded ransom amounts ranging from $100,000 to $35 million. Following the arrest of several affiliates in 2021, the gang’s infrastructure went offline.

  9. REvil (2019): REvil ransomware shares similarities with the notorious GandCrab strain and primarily spreads through phishing emails containing malicious attachments and links. Utilizing the ransomware-as-a-service (RaaS) model, REvil allows cybercriminals to utilize its infrastructure in exchange for a share of their profits. Notable targets of REvil include high-profile entities like Lady Gaga, a law firm associated with Donald Trump, Acer, Apple, Kaseya, and HX5. Ransom demands often reach millions of dollars, tailored to the financial capacity of the victims. For instance, in 2021, JBS Foods paid an $11 million ransom to decrypt its data.

  10. Maze (2019): Maze ransomware emerged in 2019, spreading through spam emails, RDP attacks, and exploit kits. It gained notoriety for pioneering the double extortion model, where hackers not only encrypt data but also threaten to release it if the ransom is not paid. One of Maze’s most significant attacks targeted the IT service provider Cognizant in 2020, resulting in damages of approximately $60 million. Despite its impactful operations, Maze suspended its activities by the end of 2020.

  11. GandCrab (2018): Infamous for its aggressive ransomware-as-a-service (RaaS) operations, GandCrab spread through various channels, including emails, exploit kits, and malware campaigns. The group demanded payments in cryptocurrencies like Bitcoin or Dash, ranging from a few hundred to several thousand US dollars, for decrypting stolen data. Estimated to have infected over 1.5 million machines, GandCrab’s criminal activities amassed earnings of over $2 billion before the group retired in 2019, releasing a decryption tool.

  12. Lapsus$ (2021): Making headlines in 2021, the Lapsus$ hacking group gained notoriety for its attack on the Brazilian Ministry of Health’s website and subsequent disruptions to their systems. Employing a blend of social engineering tactics and sophisticated hacking tools, Lapsus$ has targeted industry giants such as Nvidia, Samsung, Microsoft, Vodafone, and Ubisoft. Unlike traditional ransomware, Lapsus$ relies on a versatile arsenal of techniques rather than a single malware variant, highlighting the group’s adaptability and cunning strategies.

  13. Ryuk (2018): Emerging in 2018, Ryuk ransomware spreads through phishing emails containing malicious Microsoft Office attachments. Notably, it targeted multiple US newspapers in 2018, gaining attention for its impact. Ryuk typically focuses on governments, school systems, healthcare organizations, and other public and private sector companies. Estimates suggest that Ryuk generated over $60 million in the years following its emergence and remains active to this day.
  14. WannaCry (2017): WannaCry exploited vulnerabilities in outdated versions of Windows, utilizing the EternalBlue exploit believed to be developed by the US National Security Agency and leaked by The Shadow Brokers hacker group. The ransomware spread rapidly, affecting over 300,000 devices in 150 countries, predominantly in healthcare and utility sectors. Despite demanding relatively low payments of $300-600 USD in Bitcoin for decryption, the financial damage to companies reached into the millions. Authorities managed to halt the attack, identifying two North Korean hackers as the culprits. WannaCry underscores the critical importance of regularly updating systems to prevent such attacks.

  15. Bad Rabbit (2017): Bad Rabbit ransomware spreads by masquerading as an Adobe Flash installer in drive-by downloads on compromised websites. Users can unwittingly infect their devices simply by browsing a malicious site. Once infected, victims receive a ransom demand in Bitcoin, with the amount increasing if payment isn’t made within 40 hours. In 2017, Bad Rabbit primarily targeted organizations in Russia and Ukraine but also affected systems in other countries such as Türkiye, Bulgaria, Germany, and Japan.

  16. Petya (2016): The Petya ransomware attack originated in Germany in 2016, targeting Microsoft Windows-based systems of businesses and corporations. It spread through phishing emails containing malicious Word documents. Unlike typical ransomware, Petya encrypted the master file table (MFT) and replaced the master boot record (MBR) with malicious code, rendering the entire system unusable until a ransom was paid. In 2017, a variant called NotPetya caused extensive damage and disruption to numerous Ukrainian businesses and infrastructure, highlighting the importance of cautious email practices.

  17. SamSam (2016): SamSam ransomware inflicted significant damage on governmental and healthcare organizations in the US by exploiting weak passwords through brute-force attacks and phishing emails. In 2018, cybercriminals used SamSam to target the city of Atlanta and Colorado’s Department of Transportation, extorting over $6 million and causing $30 million worth of damage. SamSam underscores the importance of using strong passwords to safeguard data.

  18. Locky (2016): Locky is a ransomware strain distributed via email, specifically targeting Windows devices. It relies on user interaction, prompting them to enable macros in a document attached to the email. Upon agreement, Locky downloads a trojan that encrypts files with specific extensions. Victims are then directed to use the Tor browser to follow instructions for payment in Bitcoin. In 2016, Locky gained attention after infecting computers at a California medical center, demanding a ransom of 40 Bitcoin (approximately $17,000 at the time). Despite not being recommended, the hospital paid the ransom to regain access to their data


    Cerber (2016): Cerber is another ransomware-as-a-service (RaaS) model that emerged in 2016, contributing to attackers’ earnings of around $200,000 that year. It primarily targets Microsoft Office users in post-Soviet countries and spreads through phishing emails. Notably, Cerber includes a unique feature where the ransom note is read aloud to the victim as a voice message.

  20. ZCryptor (2016): ZCryptor is notable for being one of the first cryptoworms, exhibiting characteristics of both a computer worm and ransomware software. This hybrid nature enables ZCryptor to spread autonomously across networks, encrypting files on infected devices and demanding a ransom for decryption. Typically demanding a ransom payment of 1.2 Bitcoin, ZCryptor would escalate the demand to 5 or more Bitcoin if the victim failed to comply, amounting to several thousand US dollars. It primarily targeted individual users through phishing emails and counterfeit software installers.

  21. Jigsaw (2016): Jigsaw is injected into devices through compromised Flash updates, potentially infecting devices while users browse legitimate websites. Upon infection, Jigsaw encrypts over 200 file types and gained notoriety for its aggressive tactics. If the victim failed to pay the ransom of $150, Jigsaw progressively deleted the encrypted files, employing a countdown timer and disturbing imagery for intimidation. The operators of Jigsaw targeted both businesses and individuals indiscriminately.

  22. Fusob (2015): Fusob ransomware targets mobile devices and employs tactics similar to Reveton by posing as a legal authority to intimidate users. It demands a ransom of $100-200 USD, typically payable via an iTunes gift card. Fusob primarily targets users in Western Europe and the US. Cybercriminals distribute Fusob through a video player offering adult content. Onceinstalled, Fusob locks the device and demands payment of the ransom.

  23. CryptoWall (2014): CryptoWall emerged as one of the most devastating malware threats in 2014. Within that year, it infected over 630,000 systems, resulting in cybercriminals receiving over 1.1 million US dollars in ransom payments ranging from $200 to $10,000 USD. CryptoWall spreads through phishing emails and malicious advertisements on legitimate websites, including those owned by Disney, Facebook, and The Guardian. These attacks could have been mitigated through software updates and server backups.

  24. SimpleLocker (2014): SimpleLocker was among the earliest ransomware to target Android devices. It encrypted files stored on the device’s storage, including images, videos, and documents, and locked the screen, rendering the operating system inaccessible. The ransom note displayed was in Russian. SimpleLocker primarily targeted individual Android users in Eastern Europe, demanding a relatively modest ransom payment of under $50 USD to unlock files stored on SD cards.


    Cryptolocker (2013): Cryptolocker, active between 2013 and 2014, extorted approximately 3 million US dollars, primarily from small to medium-sized businesses and individuals. Cybercriminals used a Trojan to target Windows computers. Through compromised emails and a botnet for distribution, Cryptolocker encrypted files using keys stored on the cybercriminals’ servers. Victims were compelled to pay the ransom before a deadline, or risk permanent destruction of the encryption key. Typically, the ransom increased after the deadline. Law enforcement dismantled the botnet and obtained the decryption keys. Nonetheless, Cryptolocker’s “success” spurred numerous copycat ransomware attacks.

  26. Reveton (2012): Reveton operated as a financial extortion ransomware distributed via drive-by-download attacks. Upon infecting a computer, it would lock the user out of their system and display a counterfeit law enforcement warning. This warning falsely accused the user of engaging in illegal activities, such as downloading inappropriate content or pirated software, and demanded a fine of 300 US dollars under the threat of imprisonment. However, the fine was merely a ploy to extort money from victims, funneling funds directly to the cybercriminals. Over time, Reveton evolved to incorporate tactics like utilizing victims’ webcams, demanding payments in Bitcoin, distributing password-stealing malware, and infecting MacOS and mobile operating systems.


    WinLock (2008): WinLock stands as one of the earliest instances of locker ransomware. It targeted PC users by seizing control of their Windows operating systems, displaying pornographic images, and demanding payment to regain access. Primarily aimed at individual users, WinLock exploited their relatively lower security awareness and the limited protection typically found on personal computers. Victims were typically coerced into paying a ransom equivalent to a few dollars via a text message. Those responsible for WinLock were apprehended in 2010, having amassed approximately 16 million US dollars through their SMS-based extortion scheme.

Here are the main types of ransomware:

  1. Crypto ransomware: Encrypts computer files and demands a ransom payment for decryption. Targets both individuals and organizations.

  2. Locker ransomware: Blocks access to the entire computer system, including the operating system, desktop, files, and applications. The ransom note usually appears on the locked screen.

  3. Scareware: Attempts to deceive users by presenting false claims of malware infections or technical issues. Users are prompted to pay a fee or purchase software to resolve the fabricated problem, leading to further malware installation.

  4. Leakware (Doxware): Threatens to publicly release sensitive data from the victim’s computer unless a ransom is paid. Unlike typical ransomware, it does not encrypt data but uses the threat of exposure as leverage.

  5. Double extortion ransomware: Encrypts data and threatens to release it to the public unless a ransom is paid, combining data encryption with data leakage threats.

  6. Ransomware-as-a-service (RaaS): A business model where ransomware developers lease their ransomware variants to other cybercriminals, making ransomware attacks more accessible to less skilled attackers.

  7. Mobile ransomware: Targets mobile devices by locking the device or encrypting files, then demanding a ransom for unlocking or decrypting.

  8. State-sponsored ransomware: A sophisticated attack launched by a nation-state, often as part of a larger political or economic strategy. It may target critical infrastructure.

To protect against ransomware, it’s crucial to stay informed about phishing scams and other social engineering tactics. Regularly updating security software and using secure authentication methods are also important measures to mitigate the risk of ransomware attacks. Stay vigilant for signs of malware and prioritize cybersecurity awareness.

3 Steps to use VPN


Sign upBuy an affordable VPN account.


ConnectConfigure the VPN on your device.


Enjoy VPNEnjoy the benefits of a VPN today.

Get a VPN Account

Connect & Enjoy: Internet Freedom, Privacy & security. Purchase your VPN today!

Recommended Posts